feat(cli): add --tf-exclude-downloaded-modules flag

[nikpivkin]

Description

Added the --exclude-downloaded-modules flag, which removes the results for downloaded terraform modules.

Before

2023-07-12T11:17:09.040+0600    INFO    Misconfiguration scanning is enabled
2023-07-12T11:17:09.400+0600    INFO    Detected config files: 2

terraform-aws-modules/security-group/aws/main.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows ingress from public internet.
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/security-group/aws/main.tf:197-204
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 191   resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
 ...   
 197 ┌   cidr_blocks = split(
 198 │     ",",
 199 │     lookup(
 200 │       var.ingress_with_cidr_blocks[count.index],
 201 │       "cidr_blocks",
 202 │       join(",", var.ingress_cidr_blocks),
 203 └     ),
 ...   
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

After

2023-07-12T11:16:11.484+0600    INFO    Misconfiguration scanning is enabled
2023-07-12T11:16:11.862+0600    INFO    Detected config files: 2

Related issues

• Close feat: Trivy lacks tfsec option --exclude-downloaded-modules #4618

Related PRs

• test(terraform): add a test for the skip downloaded option defsec#1384

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[simar7]

it lgtm, but we should test this option in defsec. It should be added as a test here alongside the other options we have: https://github.com/aquasecurity/defsec/blob/master/pkg/scanners/terraform/scanner_test.go

[nikpivkin]

@simar7 I added a test.

[simar7]

Nice lgtm!